quasar | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
09/12/2024, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
Size

3.1MB
MD5

7ae9e9867e301a3fdd47d217b335d30f
SHA1

d8c62d8d73aeee1cbc714245f7a9a39fcfb80760
SHA256

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c
SHA512

063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd
SSDEEP

49152:/vTlL26AaNeWgPhlmVqvMQ7XSKn8GE18hk/gv4oGdQTHHB72eh2NT:/vJL26AaNeWgPhlmVqkQ7XSKn8mA

Score

10^/10

quasar runtimebroker discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

Cmaster-57540.portmap.io:57540:8080

Mutex

7d0b5d0f-c185-4da8-b709-726d2f58400c

Attributes

encryption_key
6275D618DF6119CEEF062AB381785B6186B8C0EB
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
devtun

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 15 IoCs

resource	yara_rule
behavioral1/memory/2272-1-0x0000000000050000-0x0000000000374000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016650-5.dat	family_quasar
behavioral1/memory/1416-9-0x0000000001320000-0x0000000001644000-memory.dmp	family_quasar
behavioral1/memory/1052-33-0x00000000003F0000-0x0000000000714000-memory.dmp	family_quasar
behavioral1/memory/2052-44-0x0000000000FD0000-0x00000000012F4000-memory.dmp	family_quasar
behavioral1/memory/1968-55-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar
behavioral1/memory/308-67-0x0000000000870000-0x0000000000B94000-memory.dmp	family_quasar
behavioral1/memory/1328-78-0x0000000000970000-0x0000000000C94000-memory.dmp	family_quasar
behavioral1/memory/1496-89-0x0000000000E20000-0x0000000001144000-memory.dmp	family_quasar
behavioral1/memory/2692-101-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/memory/2236-112-0x0000000000BA0000-0x0000000000EC4000-memory.dmp	family_quasar
behavioral1/memory/2624-124-0x0000000000EB0000-0x00000000011D4000-memory.dmp	family_quasar
behavioral1/memory/1284-135-0x0000000000ED0000-0x00000000011F4000-memory.dmp	family_quasar
behavioral1/memory/1628-156-0x0000000000250000-0x0000000000574000-memory.dmp	family_quasar
behavioral1/memory/1532-167-0x00000000003E0000-0x0000000000704000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
1416	RuntimeBroker.exe
2784	RuntimeBroker.exe
1052	RuntimeBroker.exe
2052	RuntimeBroker.exe
1968	RuntimeBroker.exe
308	RuntimeBroker.exe
1328	RuntimeBroker.exe
1496	RuntimeBroker.exe
2692	RuntimeBroker.exe
2236	RuntimeBroker.exe
2624	RuntimeBroker.exe
1284	RuntimeBroker.exe
2536	RuntimeBroker.exe
1628	RuntimeBroker.exe
1532	RuntimeBroker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\devtun\RuntimeBroker.exe	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
File opened for modification	C:\Windows\system32\devtun\RuntimeBroker.exe	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
760	PING.EXE
2332	PING.EXE
1456	PING.EXE
1652	PING.EXE
604	PING.EXE
3008	PING.EXE
2012	PING.EXE
2904	PING.EXE
1952	PING.EXE
1656	PING.EXE
2912	PING.EXE
2584	PING.EXE
1744	PING.EXE
2232	PING.EXE
2716	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2912	PING.EXE
1744	PING.EXE
2904	PING.EXE
1456	PING.EXE
3008	PING.EXE
2584	PING.EXE
2332	PING.EXE
1656	PING.EXE
760	PING.EXE
1952	PING.EXE
1652	PING.EXE
2716	PING.EXE
604	PING.EXE
2232	PING.EXE
2012	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2976	schtasks.exe
2916	schtasks.exe
1976	schtasks.exe
2476	schtasks.exe
2596	schtasks.exe
1256	schtasks.exe
2432	schtasks.exe
1268	schtasks.exe
1968	schtasks.exe
2552	schtasks.exe
2428	schtasks.exe
2008	schtasks.exe
2260	schtasks.exe
2128	schtasks.exe
1496	schtasks.exe
1768	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
Token: SeDebugPrivilege	1416	RuntimeBroker.exe
Token: SeDebugPrivilege	2784	RuntimeBroker.exe
Token: SeDebugPrivilege	1052	RuntimeBroker.exe
Token: SeDebugPrivilege	2052	RuntimeBroker.exe
Token: SeDebugPrivilege	1968	RuntimeBroker.exe
Token: SeDebugPrivilege	308	RuntimeBroker.exe
Token: SeDebugPrivilege	1328	RuntimeBroker.exe
Token: SeDebugPrivilege	1496	RuntimeBroker.exe
Token: SeDebugPrivilege	2692	RuntimeBroker.exe
Token: SeDebugPrivilege	2236	RuntimeBroker.exe
Token: SeDebugPrivilege	2624	RuntimeBroker.exe
Token: SeDebugPrivilege	1284	RuntimeBroker.exe
Token: SeDebugPrivilege	2536	RuntimeBroker.exe
Token: SeDebugPrivilege	1628	RuntimeBroker.exe
Token: SeDebugPrivilege	1532	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2552	2272	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	30
PID 2272 wrote to memory of 2552	2272	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	30
PID 2272 wrote to memory of 2552	2272	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	30
PID 2272 wrote to memory of 1416	2272	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	32
PID 2272 wrote to memory of 1416	2272	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	32
PID 2272 wrote to memory of 1416	2272	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	32
PID 1416 wrote to memory of 1496	1416	RuntimeBroker.exe	33
PID 1416 wrote to memory of 1496	1416	RuntimeBroker.exe	33
PID 1416 wrote to memory of 1496	1416	RuntimeBroker.exe	33
PID 1416 wrote to memory of 2816	1416	RuntimeBroker.exe	35
PID 1416 wrote to memory of 2816	1416	RuntimeBroker.exe	35
PID 1416 wrote to memory of 2816	1416	RuntimeBroker.exe	35
PID 2816 wrote to memory of 2936	2816	cmd.exe	37
PID 2816 wrote to memory of 2936	2816	cmd.exe	37
PID 2816 wrote to memory of 2936	2816	cmd.exe	37
PID 2816 wrote to memory of 3008	2816	cmd.exe	38
PID 2816 wrote to memory of 3008	2816	cmd.exe	38
PID 2816 wrote to memory of 3008	2816	cmd.exe	38
PID 2816 wrote to memory of 2784	2816	cmd.exe	39
PID 2816 wrote to memory of 2784	2816	cmd.exe	39
PID 2816 wrote to memory of 2784	2816	cmd.exe	39
PID 2784 wrote to memory of 2428	2784	RuntimeBroker.exe	40
PID 2784 wrote to memory of 2428	2784	RuntimeBroker.exe	40
PID 2784 wrote to memory of 2428	2784	RuntimeBroker.exe	40
PID 2784 wrote to memory of 2676	2784	RuntimeBroker.exe	42
PID 2784 wrote to memory of 2676	2784	RuntimeBroker.exe	42
PID 2784 wrote to memory of 2676	2784	RuntimeBroker.exe	42
PID 2676 wrote to memory of 2684	2676	cmd.exe	44
PID 2676 wrote to memory of 2684	2676	cmd.exe	44
PID 2676 wrote to memory of 2684	2676	cmd.exe	44
PID 2676 wrote to memory of 1744	2676	cmd.exe	45
PID 2676 wrote to memory of 1744	2676	cmd.exe	45
PID 2676 wrote to memory of 1744	2676	cmd.exe	45
PID 2676 wrote to memory of 1052	2676	cmd.exe	46
PID 2676 wrote to memory of 1052	2676	cmd.exe	46
PID 2676 wrote to memory of 1052	2676	cmd.exe	46
PID 1052 wrote to memory of 2596	1052	RuntimeBroker.exe	47
PID 1052 wrote to memory of 2596	1052	RuntimeBroker.exe	47
PID 1052 wrote to memory of 2596	1052	RuntimeBroker.exe	47
PID 1052 wrote to memory of 2172	1052	RuntimeBroker.exe	49
PID 1052 wrote to memory of 2172	1052	RuntimeBroker.exe	49
PID 1052 wrote to memory of 2172	1052	RuntimeBroker.exe	49
PID 2172 wrote to memory of 2420	2172	cmd.exe	51
PID 2172 wrote to memory of 2420	2172	cmd.exe	51
PID 2172 wrote to memory of 2420	2172	cmd.exe	51
PID 2172 wrote to memory of 2232	2172	cmd.exe	52
PID 2172 wrote to memory of 2232	2172	cmd.exe	52
PID 2172 wrote to memory of 2232	2172	cmd.exe	52
PID 2172 wrote to memory of 2052	2172	cmd.exe	53
PID 2172 wrote to memory of 2052	2172	cmd.exe	53
PID 2172 wrote to memory of 2052	2172	cmd.exe	53
PID 2052 wrote to memory of 1256	2052	RuntimeBroker.exe	54
PID 2052 wrote to memory of 1256	2052	RuntimeBroker.exe	54
PID 2052 wrote to memory of 1256	2052	RuntimeBroker.exe	54
PID 2052 wrote to memory of 1676	2052	RuntimeBroker.exe	56
PID 2052 wrote to memory of 1676	2052	RuntimeBroker.exe	56
PID 2052 wrote to memory of 1676	2052	RuntimeBroker.exe	56
PID 1676 wrote to memory of 1980	1676	cmd.exe	58
PID 1676 wrote to memory of 1980	1676	cmd.exe	58
PID 1676 wrote to memory of 1980	1676	cmd.exe	58
PID 1676 wrote to memory of 2012	1676	cmd.exe	59
PID 1676 wrote to memory of 2012	1676	cmd.exe	59
PID 1676 wrote to memory of 2012	1676	cmd.exe	59
PID 1676 wrote to memory of 1968	1676	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
"C:\Users\Admin\AppData\Local\Temp\932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2552
- C:\Windows\system32\devtun\RuntimeBroker.exe
  "C:\Windows\system32\devtun\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1496
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGoRO0MJlvB0.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2936
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3008
  - - C:\Windows\system32\devtun\RuntimeBroker.exe
      "C:\Windows\system32\devtun\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2428
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vZp08brLctRt.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2684
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1744
      - C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FTI5IvT6PMmF.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2232
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1256
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xeU1CP4zYfMM.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2012
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2008
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Up006WgknUra.bat" "
        11⤵
        
        PID:1568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:760
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ny9b6XBN70lC.bat" "
        13⤵
        
        PID:1888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2584
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2976
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\z6iTQQiyt71G.bat" "
        15⤵
        
        PID:2524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2332
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2916
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\L5d8YZbro2QU.bat" "
        17⤵
        
        PID:2672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2904
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0C7LDbTKuGU6.bat" "
        19⤵
        
        PID:2680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1952
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2260
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\x8gXt2wNj1dF.bat" "
        21⤵
        
        PID:2248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1456
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1268
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uJbtKY2bHnjw.bat" "
        23⤵
        
        PID:1748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1652
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1968
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vIKjIQQISm2O.bat" "
        25⤵
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2716
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkBH2H5gMGZu.bat" "
        27⤵
        
        PID:2888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1656
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2128
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2tjYGituUotc.bat" "
        29⤵
        
        PID:1008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:604
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2476
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zC8lRWAOB44P.bat" "
        31⤵
        
        PID:2320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0C7LDbTKuGU6.bat

Filesize
203B

MD5
7f8bf24713e513e141eac07c08a8e88c

SHA1
58f0789dba029bf79ac78ad51c6ac010bd9356e4

SHA256
a8a2342f456b16b0cc4861d038c61c4d2cdd8fd39db8f6b24a9c9a68fcca82f9

SHA512
c6c87980de38685d8b02afcd535711d9e559af8c1230d44dd09f672b0e346bd21907cc6dbb5c7206ab4fa0c045c3ac1a4680d9e9919f803783f6f165740c2d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tjYGituUotc.bat

Filesize
203B

MD5
1437ba71a86f4f92fe5ca4d00305ca19

SHA1
59a879f96171a2ebec50e1973e9ca8e49eb03105

SHA256
238a095f18f1c47c9cbb3f7ce067ae6ab2c1a9988730f1edee7fb78ff8b982c3

SHA512
fae71d51f6d97fdff8489cd0a4cd48386e1019980d5c0541b6b7c2f335edaae83c1d975a5b1994aa9edd8e3817820e76a6e8fc7ad7b639a50bf9a245a29945ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\FTI5IvT6PMmF.bat

Filesize
203B

MD5
f6136393bc56bee633f17517fd905395

SHA1
3545fd34a19f7fb73e40219bd7220f99e87160c1

SHA256
8c36a281d54320d06240ee2217bb62e2a1cacb452a2376fcd9d012a3c733e3f4

SHA512
4e98db2ef2630d22e873eb99d4792e63fdd8328ee8ae72d086d8f03fd676c15df58cda69f75b988cde29e1a0f923dde16ab05fcaf2a4ef35512b4e2fb3ae1af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\L5d8YZbro2QU.bat

Filesize
203B

MD5
0b79be2e6d50fb70d598d488df246946

SHA1
58186e95562b42895c8f87da53c5e551d8e4350b

SHA256
ec03de7dd351ed3bed2519cec1e4fef984bb522558e968252954815344a994a8

SHA512
c7390764faee065cdb014457e161c54894e3efe49eebca7df1f2f3abc548b817574365b435dd2bc79c2d00dcbc9d80a98ab2adc0f0aeaaad6321b70414bceb00

Download Submit
C:\Users\Admin\AppData\Local\Temp\LGoRO0MJlvB0.bat

Filesize
203B

MD5
047eaaa393e65e53e7b19fdc14ecedd8

SHA1
536bdbf1378c8e4001514ad7623cfe3864a022bc

SHA256
5b3395e83a4a15eb5cd782809a721765fac1abae1cf7260ef6478ee48629e35b

SHA512
25bfec661c4f573ed2cf9961aa58e403f0feb4a76c376bc3dbc6678892be70d544b7d00ff4942c18977ed0cb73829d5058354fd1edbf68f954e715d9d8212287

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ny9b6XBN70lC.bat

Filesize
203B

MD5
ebb945008c10775066e50a3936f64aa3

SHA1
f593dc06738c3aa9652a7dee55102942b11e45ce

SHA256
34f0fd613bc821f7149054261a88fef1f05c98a060d08968a971d348d35ebe64

SHA512
f923187bb09f3a7cd4db265af67295b8c25535c0da9031a026e70ec76e2bd15f00e88f8618ee44d40a24dbd220e25ed30f3384a6dc774d81826b7a49543c7a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkBH2H5gMGZu.bat

Filesize
203B

MD5
d454d37ab2bdae83a45e224a48bf759f

SHA1
2a953211fcdbd586d6c2b98547d999abb873808f

SHA256
2433abc4f185edd6eaffe1ff31f3b4bf35a62d87821566ee661699c3ae18a81e

SHA512
d245945f582a7f7bce6637bc8694af8647373294053b577ce0e9012ecdc8d51476a71d9775cea3e3fad367b11c9a149a4b97e8666b53cc14527bc942340fe948

Download Submit
C:\Users\Admin\AppData\Local\Temp\Up006WgknUra.bat

Filesize
203B

MD5
a6842144b0dd301aa5380254b20c7021

SHA1
372872ef07d4ac1a206521e936ead74ab5a4debc

SHA256
57ec58239187e520d7381eb5cc84f2661caed2e6aa296a9153c71395b0b60e9f

SHA512
039acf9caddf47163e9bb418bfed708aaf8b40d07edb65e5ea815019aed4ebc96c6e31dd1af4801f4f411099e6cf06d98c4a4680e37ca8a8859235e9f9667768

Download Submit
C:\Users\Admin\AppData\Local\Temp\uJbtKY2bHnjw.bat

Filesize
203B

MD5
5817d3abf858eed9483ba82e064c030e

SHA1
352ef853167a349a5e88bbe1261c0b2fb85ecbff

SHA256
cb89ceee53fac87d9a63151b67c7862c1f6c2df9d3d8ad6593356d91ac292a86

SHA512
d9e992e668c142432a9e93cd5ca5461a3b35ccfe70e3637bc7f33ae7ee8a58ee24b28535aa45c2a269d11bdb0519a9f2e484b0b26b4e57bff99301ccdcc0c410

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIKjIQQISm2O.bat

Filesize
203B

MD5
9e807d4c8e75e1eac990c3e7ea35d48b

SHA1
25d4de9820220a01734b544d6bcfd721e0b6c70c

SHA256
5a8fb79f9ca3836d2b4cff2fb433494d7a34fb4750f071b469fb4fae70069b90

SHA512
705fa00c09df43e3935c4f34a8a6dbfe3f93e7fbcf490cc223d6d85c89b62711aba60bbafbad5f780e9d3bd2490abe144e90d9812ed69fe9f2fa895ac5e53f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\vZp08brLctRt.bat

Filesize
203B

MD5
bb2fe9aff08d4c56cbb883d3cbb15292

SHA1
e99afb69e15e6f03feadbfc44bf6b3323b5510a7

SHA256
a5b32bece62636b9c8e18009379644423062606ae2179f2f2c0287056d3d4d8a

SHA512
3c4849d7f1f4a9544397acf239a3afa4444c69816fede7ac323441dc35a96ae4ce5d67eb61fe24d3125bf42b14c2d9b0245ec964e8c841d8b2dd3311f7643016

Download Submit
C:\Users\Admin\AppData\Local\Temp\x8gXt2wNj1dF.bat

Filesize
203B

MD5
8494787d873d740d24cbb15110a60fce

SHA1
212f5dca43902c638b67747d126608c97fad4dba

SHA256
5c1c666b27163e397e87f83ca0cf34ed66011ced7b669425e5e8a16f15af1bcc

SHA512
1d5f037ea3d9f83e13d37165a0209ab03e084f67b689118475a294a0b8a59a24397103b80e894b6b8281dd146287757087735fe9d89ec9cb71a14daf5a646a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\xeU1CP4zYfMM.bat

Filesize
203B

MD5
d6b3cd11acb163997243b57015058405

SHA1
49a99cf666046751000cb26d69ec223e81d7f313

SHA256
2488a25e8b51f383dfdd2d1712395e507e8f8e8505a67f8ba3d12fa50c44b2a2

SHA512
f43e8aae79f4224c92e9b8b59dfe12dc8d790654426b81c883b6cdaef9ff0b2a0ffc2389f91abd392d60cec7b4e2104d2266273259ec9843329693067c52c74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6iTQQiyt71G.bat

Filesize
203B

MD5
825a623ae2802a81ef50f436397b4bd7

SHA1
ea33bb13a47e9704a16bb557cca8dda64cb0775d

SHA256
fbb94fba99f36be838cffb124aa9d79fdf9c9249137d231aa13fc882d3f555ca

SHA512
8f3cc5d11215511a2b04eca5f47cb7c5cc18cc4b49c24166365653cdf86d67902b5d4e5bf923d98334ee5cbd2dfe6eebe77969a586f2b4fbffdc8a0d08647ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zC8lRWAOB44P.bat

Filesize
203B

MD5
8b584cb9dca607eac882aeaea9f57010

SHA1
a965e9575e06d4e74e3e39af10c10f11312488be

SHA256
a9327ee2c18cc71801cf11b4b35016b4fcc971f78e5e2aa410613a85646b6d0d

SHA512
40e24f6fac58a112452d14ddf64153df29d6b93859675b7ae92ab1fdcf778320ba1e694ae5c004a57209dd042c5d49889760124732decab9d8535d9284a18f23

Download Submit
C:\Windows\System32\devtun\RuntimeBroker.exe

Filesize
3.1MB

MD5
7ae9e9867e301a3fdd47d217b335d30f

SHA1
d8c62d8d73aeee1cbc714245f7a9a39fcfb80760

SHA256
932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

SHA512
063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd

Download Submit
memory/308-67-0x0000000000870000-0x0000000000B94000-memory.dmp

Filesize
3.1MB

Download
memory/1052-33-0x00000000003F0000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/1284-135-0x0000000000ED0000-0x00000000011F4000-memory.dmp

Filesize
3.1MB

Download
memory/1328-78-0x0000000000970000-0x0000000000C94000-memory.dmp

Filesize
3.1MB

Download
memory/1416-20-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/1416-8-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/1416-9-0x0000000001320000-0x0000000001644000-memory.dmp

Filesize
3.1MB

Download
memory/1416-10-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/1496-89-0x0000000000E20000-0x0000000001144000-memory.dmp

Filesize
3.1MB

Download
memory/1532-167-0x00000000003E0000-0x0000000000704000-memory.dmp

Filesize
3.1MB

Download
memory/1628-156-0x0000000000250000-0x0000000000574000-memory.dmp

Filesize
3.1MB

Download
memory/1968-55-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download
memory/2052-44-0x0000000000FD0000-0x00000000012F4000-memory.dmp

Filesize
3.1MB

Download
memory/2236-112-0x0000000000BA0000-0x0000000000EC4000-memory.dmp

Filesize
3.1MB

Download
memory/2272-0-0x000007FEF6103000-0x000007FEF6104000-memory.dmp

Filesize
4KB

Download
memory/2272-7-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2272-2-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2272-1-0x0000000000050000-0x0000000000374000-memory.dmp

Filesize
3.1MB

Download
memory/2624-124-0x0000000000EB0000-0x00000000011D4000-memory.dmp

Filesize
3.1MB

Download
memory/2692-101-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads